Question #584
A developer needs to deploy an application across multiple AWS Regions to improve latency. The existing Amazon Machine Images (AMIs) in the source Region are not encrypted, but company policy mandates encryption in all Regions. The developer must ensure all AMIs are encrypted before deployment in the new Region.
How can the developer achieve this while complying with the encryption policy?
A. Create new AMIs with encryption enabled during creation. Copy the encrypted AMIs to the destination Region. Remove the unencrypted AMIs from the source Region.
B. Use AWS KMS to re-encrypt the existing unencrypted AMIs. Copy the re-encrypted AMIs to the destination Region.
C. Enable default encryption for all AMIs using AWS Config. Copy the AMIs to the destination Region after encryption is applied.
D. Copy the unencrypted AMIs to the destination Region. Use AWS Lambda to encrypt the AMIs after copying.
Explanation
Answer A is correct because:
1. AMIs cannot be retroactively encrypted. Creating new AMIs with encryption enabled during creation is the only way to ensure encryption compliance.
2. Copying encrypted AMIs to the destination Region retains their encryption status.
3. Removing unencrypted AMIs aligns with the company's encryption policy.
Why other options are incorrect:
- B: AWS KMS cannot re-encrypt existing AMIs; encryption must be applied during AMI creation.
- C: AWS Config manages compliance but cannot retroactively encrypt existing AMIs. Default encryption applies only to new EBS volumes, not existing AMIs.
- D: AMIs cannot be encrypted after creation. Lambda cannot modify AMI encryption; a new encrypted AMI must be created.
Key Points:
- AMI encryption must be enabled at creation.
- Copying encrypted AMIs preserves encryption.
- Unencrypted AMIs cannot be modified to become encrypted.
Answer
The correct answer is: A
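The step the question turns on is verifying, before anything is copied, that every AMI headed for the new Region is actually encrypted. The following compliance check is an added example, not part of the original question or its answer. It walks the block device mappings of each AMI the way a practitioner would after a DescribeImages call, and clears an AMI for copying only when every EBS-backed volume reports `Encrypted: true`. The image records, IDs and KMS key ARN are constructed placeholders that mirror the shape of a DescribeImages response; no AWS API is called, so it runs offline.

```python
"""Compliance check: confirm each EBS-backed AMI is fully encrypted before it
is copied to another Region (added example, not from the original page).

The records below are constructed to mirror the shape of an EC2 DescribeImages
response (ImageId, BlockDeviceMappings[].Ebs.Encrypted / SnapshotId / KmsKeyId).
All IDs and the KMS key ARN are placeholders.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: three AMIs in the source Region.
SAMPLE_IMAGES: List[Dict] = [
    {   # fully encrypted: every EBS mapping carries Encrypted=True and a KMS key
        "ImageId": "ami-0000000000000aaaa",
        "Name": "app-server-encrypted",
        "BlockDeviceMappings": [
            {"DeviceName": "/dev/xvda",
             "Ebs": {"SnapshotId": "snap-0000000000000aaa1", "Encrypted": True,
                     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}},
        ],
    },
    {   # unencrypted root volume: must not be copied under the policy
        "ImageId": "ami-0000000000000bbbb",
        "Name": "app-server-legacy",
        "BlockDeviceMappings": [
            {"DeviceName": "/dev/xvda",
             "Ebs": {"SnapshotId": "snap-0000000000000bbb1", "Encrypted": False}},
        ],
    },
    {   # mixed: root encrypted but a data volume is not; still non-compliant
        "ImageId": "ami-0000000000000cccc",
        "Name": "app-server-mixed",
        "BlockDeviceMappings": [
            {"DeviceName": "/dev/xvda",
             "Ebs": {"SnapshotId": "snap-0000000000000ccc1", "Encrypted": True,
                     "KmsKeyId": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}},
            {"DeviceName": "/dev/xvdb",
             "Ebs": {"SnapshotId": "snap-0000000000000ccc2", "Encrypted": False}},
            # Instance-store mapping: no 'Ebs' key, no data at rest to encrypt.
            {"DeviceName": "/dev/xvdc", "VirtualName": "ephemeral0"},
        ],
    },
]


@dataclass
class Finding:
    image_id: str
    compliant: bool
    unencrypted_devices: List[str] = field(default_factory=list)


def audit_image(image: Dict) -> Finding:
    """Return a Finding for one AMI.

    An AMI is compliant only if every EBS-backed mapping is encrypted.
    Instance-store mappings (no 'Ebs' key) are skipped. A missing 'Encrypted'
    flag is treated as unencrypted so the check fails closed.
    """
    bad: List[str] = []
    for mapping in image.get("BlockDeviceMappings", []):
        ebs = mapping.get("Ebs")
        if ebs is None:
            continue
        if not ebs.get("Encrypted", False):
            bad.append(mapping["DeviceName"])
    return Finding(image["ImageId"], not bad, bad)


def images_cleared_for_copy(images: List[Dict]) -> List[str]:
    """IDs of AMIs that pass the check and may be copied to the new Region."""
    return [f.image_id for f in map(audit_image, images) if f.compliant]


def images_blocked(images: List[Dict]) -> Dict[str, List[str]]:
    """Map of non-compliant AMI ID -> device names that caused the failure."""
    return {f.image_id: f.unencrypted_devices
            for f in map(audit_image, images) if not f.compliant}


if __name__ == "__main__":
    for finding in map(audit_image, SAMPLE_IMAGES):
        status = "OK   " if finding.compliant else "BLOCK"
        print(f"{status} {finding.image_id} {finding.unencrypted_devices}")
```

Run against a real account, the only change is feeding `images_cleared_for_copy` the `Images` list returned by DescribeImages for the source Region; the mixed case above is the one that is easy to miss, since a root volume that reports encrypted says nothing about the attached data volumes.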